Restrict NTP access

Answered Question
Oct 2nd, 2007

We have an edge router running NTP and I would like to restrict access to allow this router to sync to a remote time server.

If the remote ntp server is 1.2.3.4

and my router is 6.7.8.9

would this work:

access-list 20 permit 1.2.3.4

access-list 20 deny any

ntp access-group serve-only 20

I have this problem too.
0 votes
Correct Answer by Richard Burts about 9 years 2 months ago

Richard

Thanks for posting back and indicating that my suggestions worked as expected. It makes the forum more useful when people can read a question and can find confirmation that the ideas suggested were implemented and did work.

I am glad to see that you are a regular participant in the forum.

HTH

Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Loading.
Richard Burts Tue, 10/02/2007 - 08:14

Richard

If you want to restrict where the router can learn time then I believe that you need ntp access-group peer 20. The access-group serve-only controls who can query the router as an NTP server.

Also in my experience if you are going to use the ntp access-group I find that it is best to define both peer access-group and serve-only access group. Using the one to restrict where you can learn with using the other has the effect of not allowing anyone to learn time from this router.

HTH

Rick

wilson_1234_2 Tue, 10/02/2007 - 08:22

Thanks rick,

What I was looking for was more to restrict who has access to the router as a time server.

There was a penetration test done and they flagged the edge routers as able to access them and view the information.

The internal routers are not learning from the edge routers, but , maybe the should be?

Should I still use the "peer" "server-only" controls?

Richard Burts Tue, 10/02/2007 - 08:38

Richard

If you need to respond to the results of the penetration test which reported that they could access the edge router then I would think that the ntp access-group serve-only would restrict their access.

As I said, in my experience using just one of the access-group commands can have unintended consequences. So I would advise you to use both. Without knowing more about your network environment it is hard to give good advice. But I believe that it frequently is best to have edge routers learn time from an Internet source and then to have other network devices learn time from the edge router(s). So I would be very inclined to advise that the internal routers should learn time from the edge router. Where are they currently learning time?

HTH

Rick

wilson_1234_2 Tue, 10/02/2007 - 09:35

I appreciate your reply.

There is a router that sits on the edge of the MPLS network that is configured to a differnet external time source than the two edge routers.

This MPLS router is the time source for everything else in the internal network.

The two edge routers are configured separately and nothing is pointing to them.

Richard Burts Tue, 10/02/2007 - 09:58

Richard

It would be ok to just leave the network devices learning time from the MPLS router. But I would suggest that there would be advantages in configuring the internal network devices to have both the edge routers as well as the MPLS router as NTP servers. The main advantage is in providing redundancy. If for some reason the MPLS router lost its sync with its time source the internal network devices would have no source of NTP time. I faced that situation at a customer site a while back. Due to some things going on externally we lost sync with our preferred NTP source and discovered real advantage in having a backup NTP source.

If there are more than 1 NTP servers configured there is an algorithm in NTP tp choose the one to sync with. If you prefer that they continue to use the MPLS router when it is available there is an option in configuring Cisco routers and switches to identify the preferred server.

HTH

Rick

Correct Answer
Richard Burts Tue, 10/02/2007 - 11:34

Richard

Thanks for posting back and indicating that my suggestions worked as expected. It makes the forum more useful when people can read a question and can find confirmation that the ideas suggested were implemented and did work.

I am glad to see that you are a regular participant in the forum.

HTH

Rick

wilson_1234_2 Tue, 10/02/2007 - 11:46

Thanks for the reply.

I appreciate this forum very much.

It is very useful to have access to knowledge and experience you all have.

I have learned a great deal here.

I answered a question and have 5 points now, so watch out(actually it was just pointing someone to another post).

Thanks.

Actions

This Discussion